How to Protect WordPress Blog From Brute Force Attacks
There are some crazy people out there who will try to hack your blog. One of the most common types of attack is the brute force attack, where an attacker runs a script that attempts to log in to your account using different combinations of username and password.
We recently suffered a brute force login attack on RoadToBlogging.Com. Whoever did this was trying to log in to our blog using different usernames like “admin”, “administrator” and “roadtoblogging”. Because of the high number of HTTP requests to the server, RTB went down.
So whenever I or visitors were trying to access the blog, this error was being shown: “Internal Server Error”. Our other sites on this server were also showing the same error.
However, I was able to stop the attack by contacting the hosting provider. In this post, I will share how to protect your WordPress blog from brute force attacks.
Before moving on to the tips, I would like to explain what a brute force attack actually is.
What is a Brute Force Attack?
Brute force attacks are attacks where hackers rapidly cycle through directory names, usernames, passwords and IP addresses to get access to private data or files.
Bots or automated tools are used to generate a large number of continuous guesses until the desired data is obtained.
On WordPress blogs this attack mainly targets the wp-login.php file to get access to the blog. It tries different usernames and passwords over and over again until one works.
Now let’s see how to prevent this attack on your WordPress blog.
1. Avoid Common Usernames and Use a Strong Password
First, I’d recommend changing your default WordPress username. Don’t use usernames like “admin”, “administrator” or your site name. These usernames are easy to guess. When RoadtoBlogging was attacked, the attacker used exactly these kinds of usernames (“admin”, “administrator” and our site name, as mentioned above).
So avoid these easy-to-guess usernames. Set a truly random username.
At the same time, make sure that you are using a strong password. A strong password contains 8+ characters, no dictionary words, and a mix of uppercase and lowercase letters, numbers and symbols (e.g. !@#$).
You can also use an online strong password generator. One of the popular tools is Passwords Generator.
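The password rule above (8+ characters, no dictionary words, upper and lower case, digits, symbols) is easy to enforce and to generate for locally instead of relying on a website. The following is an added example, not code from the original post or from the generator it links to: `check_password` returns the list of policy violations, and `generate_password` draws from the operating system's CSPRNG via Python's `secrets` module until it produces a password that passes the same check. The word list, symbol set and default length are assumptions chosen for illustration.

```python
"""Check a password against the policy in the text and generate one that satisfies it."""
import secrets
import string

# Constructed mini word list standing in for a real dictionary file.
DICTIONARY_WORDS = {"password", "admin", "welcome", "blog", "letmein", "wordpress"}
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"


def check_password(pw, min_length=8, dictionary=DICTIONARY_WORDS):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in pw):
        problems.append("no symbol")
    lowered = pw.lower()
    for word in dictionary:
        # Substring match, so "Password123" and "myblog!" are both caught.
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    return problems


def generate_password(length=16):
    """Generate a random password that satisfies check_password, using the OS CSPRNG."""
    if length < 8:
        raise ValueError("length must be at least 8")
    pools = [string.ascii_uppercase, string.ascii_lowercase, string.digits, SYMBOLS]
    everything = "".join(pools)
    while True:
        # One guaranteed character from each class, the rest from the union of all classes.
        chars = [secrets.choice(pool) for pool in pools]
        chars += [secrets.choice(everything) for _ in range(length - len(pools))]
        secrets.SystemRandom().shuffle(chars)  # so the class order is not predictable
        candidate = "".join(chars)
        # Retry in the rare case a dictionary word appeared by chance.
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("password123", "Short1!", generate_password(20)):
        print(f"{sample!r}: {check_password(sample) or 'OK'}")
```

Note that `random.choice` would not be an acceptable substitute for `secrets.choice` here: the default `random` module is a deterministic PRNG and is not meant for secrets.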
2. Use JetPack Brute Force Attack Protection
JetPack is a powerful WordPress plugin by Automattic with a lot of features. Recently Jetpack introduced a new feature called ‘Protect’. It helps secure your WordPress site from malicious and unwanted login attempts, which means your blog will be protected from brute force attacks.
All you need to do is install the plugin from here. Once you’ve activated the plugin, the ‘Protect’ option is enabled automatically. You can check whether Protect is enabled by going to WordPress Dashboard > Jetpack > Settings. You can also whitelist an IP address to prevent it from being blocked by Jetpack: just click ‘Configure’ under the ‘Protect’ option.
3. Use CloudFlare CDN
CloudFlare is a free CDN service. You can use it to speed up your site and to make it more secure.
CloudFlare can handle brute force attacks on a WordPress blog. I am using CloudFlare on RoadToBlogging. Unfortunately, the “Basic Protection Level” in our CloudFlare settings was set to ‘Low’ at the time of the brute force attack.
Normally, the ‘Medium’ and ‘High’ options are good. But if you are ever under attack, select the option “I’m under attack!”. It takes effect within a short time.
If you are using CloudFlare on your blog, configure the security settings now. If you are not, read How to Setup Free CloudFlare CDN for WordPress.
4. Use ‘Limit Login Attempts’ WordPress Plugin
If you are using the Jetpack plugin, you don’t need to install this one.
This plugin hasn’t been updated in over 2 years, but it still works with the latest WordPress version. It limits the number of login attempts possible both through the normal login form and through auth cookies.
Here is the plugin options page.
This plugin limits the number of retry attempts when logging in (per IP). After the specified number of failed logins it stops that IP from making further attempts.
So if your WordPress blog is attacked, the attacking IPs are blocked from attempting to log in over and over again.
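To make the per-IP retry limit concrete, here is an added example that is not the plugin's own code and does not reproduce its settings: a stand-alone Python model of the same idea, with an injectable clock so the behaviour can be checked without waiting. It assumes a retry limit, a lockout length that doubles on each consecutive lockout, a quiet period after which old failures are forgotten, and an allowlist of IPs that are never locked out (the same purpose as the IP whitelist mentioned under Jetpack above). All of those numbers and the doubling policy are assumptions for illustration.

```python
"""Stand-alone model of per-IP login rate limiting with lockout (added example)."""
from dataclasses import dataclass, field


@dataclass
class IpState:
    failures: int = 0            # failed attempts since the last reset or lockout
    first_failure_at: float = 0  # clock value of the first failure in this run
    locked_until: float = 0      # clock value until which logins are refused
    lockouts: int = 0            # consecutive lockouts, drives the backoff


@dataclass
class LoginLimiter:
    max_retries: int = 4                  # failures allowed before lockout (assumed)
    lockout_seconds: float = 20 * 60      # first lockout length (assumed)
    reset_seconds: float = 12 * 60 * 60   # failures are forgotten after this much quiet
    allowlist: set = field(default_factory=set)   # IPs that are never locked out
    _state: dict = field(default_factory=dict)    # ip -> IpState

    def _get(self, ip):
        return self._state.setdefault(ip, IpState())

    def is_locked(self, ip, now):
        if ip in self.allowlist:
            return False
        return self._get(ip).locked_until > now

    def record_failure(self, ip, now):
        """Call after a failed login. Returns True if this failure triggered a lockout."""
        if ip in self.allowlist:
            return False
        st = self._get(ip)
        if st.failures and now - st.first_failure_at > self.reset_seconds:
            st.failures = 0  # the earlier failures are stale; start a fresh run
        if st.failures == 0:
            st.first_failure_at = now
        st.failures += 1
        if st.failures >= self.max_retries:
            st.lockouts += 1
            # Each consecutive lockout doubles the duration (exponential backoff).
            st.locked_until = now + self.lockout_seconds * (2 ** (st.lockouts - 1))
            st.failures = 0
            return True
        return False

    def record_success(self, ip):
        """A real login clears all history for that IP."""
        self._state.pop(ip, None)

    def attempt(self, ip, now, credentials_ok):
        """Gate one login attempt. Returns 'locked', 'ok', 'failed' or 'locked_now'."""
        if self.is_locked(ip, now):
            return "locked"  # refused even if the credentials are right
        if credentials_ok:
            self.record_success(ip)
            return "ok"
        return "locked_now" if self.record_failure(ip, now) else "failed"


if __name__ == "__main__":
    limiter = LoginLimiter(max_retries=3, lockout_seconds=60)
    attacker = "203.0.113.7"  # constructed address
    for t in range(5):
        print(t, limiter.attempt(attacker, now=t, credentials_ok=False))
```

The key point the model makes visible is the `locked` branch: while an IP is locked out, even a correct password is refused, which is exactly what stops a script from continuing to guess after it trips the limit.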
5. Hide WordPress Login Page
This is a little bit risky. Only do this if you know what you are doing.
You can hide your wp-login.php file so that attackers won’t be able to find the page to attack.
To do that, you will need a plugin named Secure Hidden Login. It hides the login page, and you log in to your site using a key combination or a special button.
You can hide the login page completely, or choose from the other options. You can also select a symbol from a list to show on your blog.
When you click on that symbol, you will see the login options; otherwise you won’t. I think it’s safest to select Hidden and set a key combination to log in to your blog.
Check the box “Block wp-login.php” to hide the wp-login.php page. Make sure your .htaccess file has the correct permissions.
And don’t forget to disable this option before uninstalling the plugin.
These are some steps you can take to secure your WordPress blog from attacks. However, if your WordPress blog is currently under a brute force attack, here are some things you can do:
- Contact your Hosting Provider immediately. They can help you out for sure.
- If you use CloudFlare, change the Protection Level to “I am under attack!”
Hope this post helped you to protect your WordPress blog from brute force attacks. If you found this useful don’t forget to share the post on Facebook, Twitter and Google Plus.